Restricting external access

- if the client IP is from my internal network: full access granted
- if the client IP is outside my internal network: access to the web client and the imap/pop proxy is restricted to a group of users.

I plan to force the remote web access through a http reverse-proxy and put a zimbra-proxy in DMZ for remote imaps/pops access.

So the access scheme can also be read this way:

- if the client accesses the zimbra-apache server (which is only reachable from the internal network): no restriction
- if the client accesses the zimbra web client through the http reverse proxy OR if the client accesses the zimbra-proxy in the DMZ: access is restricted to a specific group of users

What is the best way to implement this policy? Is there a way with COS? Can PAM be used? Must I rely on External Auth?

That's not what EiZ asked. What you're pointing at is a way to restrict (in/out) SMTP. What he's searching for is a way to restrict some users from logging in (through HTTP, POP, IMAP) when they use a specific zimbra proxy (basically, when they're outside the LAN).

Is there a way to do that with an LDAP filter (used for domain authentication)? Are there any parameters (%...) which can be used to check the client's IP or the zimbra proxy he's using?

Update?

Was a solution ever found for this?
I know we are a couple of years on, and Zimbra has evolved quite a bit, but I also have the same requirements. Namely I only want a small subset of my Zimbra users to have external access. These will have higher password requirements, while the others can stay more relaxed.

I know that via POP and IMAP I can indicate if a user is allowed access through a proxy or not, but can this also be done for HTTPS? Maybe some way of getting Zimbra to drop the connection once logged in if the user is in or out of an IP range.

I have thought about setting up a separate proxy server and feeding it a limited LDAP range?

I solved my problem by giving all users very long and random passwords.
Then using my own gateway to authenticate those users I trusted, and connecting them into Zimbra using the pre-auth ability of Zimbra.
This does mean that anyone using the mobile sync has to use a very long and complex password, but they all hand their phones in to me to set up. Those with laptops also have to go through me, but then I have full control over them.
-Si-
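The gateway-plus-preauth approach described in the post above, as an added example that is not part of the original thread or of Zimbra itself: the gateway authenticates the user on its own, checks that the user is in the group allowed external access, and only then hands the browser a Zimbra preauth URL. The preauth token is Zimbra's documented HMAC-SHA1 over `account|by|expires|timestamp` keyed with the domain preauth key; the key value, hostname, allowed-user list and the 5-minute freshness window used here are placeholders assumed for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed placeholder values, not real secrets or hosts.
PREAUTH_KEY = "0123456789abcdef" * 4       # would come from: zmprov gdpak <domain>
ZIMBRA_HOST = "mail.example.com"           # assumed Zimbra web server name
EXTERNAL_ALLOWED = {"alice@example.com"}   # assumed group allowed external access
MAX_SKEW_MS = 5 * 60 * 1000                # assumed freshness window for a token


def compute_preauth(account, key, timestamp_ms, expires=0, by="name"):
    """Zimbra preauth token: hex HMAC-SHA1 over 'account|by|expires|timestamp'."""
    msg = f"{account}|{by}|{expires}|{timestamp_ms}".encode()
    return hmac.new(key.encode(), msg, hashlib.sha1).hexdigest()


def build_preauth_url(account, key, host=ZIMBRA_HOST, timestamp_ms=None, expires=0):
    """URL the gateway redirects an already-authenticated, allowed user to."""
    ts = int(time.time() * 1000) if timestamp_ms is None else timestamp_ms
    params = {"account": account, "by": "name", "timestamp": ts, "expires": expires,
              "preauth": compute_preauth(account, key, ts, expires)}
    return f"https://{host}/service/preauth?{urlencode(params)}"


def verify_preauth(account, by, expires, timestamp_ms, preauth, key, now_ms,
                   max_skew_ms=MAX_SKEW_MS):
    """What the receiving side must check: freshness, then a constant-time MAC compare."""
    if abs(now_ms - int(timestamp_ms)) > max_skew_ms:
        return False                        # stale or replayed token
    expected = compute_preauth(account, key, timestamp_ms, expires, by)
    return hmac.compare_digest(expected, preauth)


def gateway_redirect(account, gateway_auth_ok, allowed=EXTERNAL_ALLOWED, timestamp_ms=None):
    """Gateway policy: strong auth passed AND user in the external group -> preauth URL, else None."""
    if not gateway_auth_ok or account not in allowed:
        return None
    return build_preauth_url(account, PREAUTH_KEY, timestamp_ms=timestamp_ms)
```

Internal users never touch the gateway, so the long random mailbox passwords only matter for clients that must authenticate to Zimbra directly (e.g. mobile sync), which is exactly the trade-off the post describes.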